A Patch to Fix the Net

On Tuesday, major vendors released patches to address a flaw in the domain name
system, one of the underpinnings of the Internet, in what researchers say is the
largest synchronized security update in the history of the Web. Vendors and
security researchers are hoping that their coordinated efforts will get the fix
onto most of the systems that need it before attackers work out the flaw and
begin to exploit it. Attackers could use the flaw to redirect Internet traffic,
sending users to phishing sites or to sites loaded with malicious software.

Discovered six months ago by security researcher Dan Kaminsky, director of
penetration testing services at IOActive, the flaw is in the domain name system
(DNS), a core element of the Internet that lets connected systems locate one
another. Kaminsky likens the domain name system to the telephone company's 411
directory service. When a user types in a Web address, technologyreview.com, the
domain name system matches it to the numerical address of the corresponding Web
server, 69.147.160.210. It's like giving a name to 411 and receiving a phone
number, Kaminsky says.
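The lookup described above at the wire level, as an added example that is not from the article and is not Kaminsky's, IOActive's, or any vendor's code: a resolver builds a DNS query for technologyreview.com, a name server answers with the A record 69.147.160.210, and the resolver accepts the answer only if the reply's transaction ID and question section match the query it sent, which is what the DNS specification (RFC 1035) requires before a reply may be used. The reply bytes are constructed inline so the example runs offline; the function names, the 300-second TTL, and the mismatched-ID reply are assumptions of this example.

```python
import random
import struct

# Added example, not from the article: build a DNS A query, construct the reply
# a name server would send, parse it, and accept it only if it matches the query.


def encode_name(name):
    """Encode a dotted hostname as DNS labels (RFC 1035 section 3.1)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=None):
    """Return the wire bytes of a standard recursive A query for `name`."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def build_answer(query, ip, ttl=300):
    """Constructed reply a name server would return for `query`: same ID,
    QR/RD/RA set, the question echoed, and one A record whose owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + rr


def read_name(msg, offset):
    """Decode a possibly compressed name at `offset`; return (name, next_offset)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # parsing resumes after the pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_message(msg):
    """Parse header, question section, and A records of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


def accept_reply(query, reply):
    """Return the A records from `reply` only if it is a response whose
    transaction ID and question section match `query`; otherwise None."""
    q, r = parse_message(query), parse_message(reply)
    if not r["is_response"] or r["txid"] != q["txid"]:
        return None
    if r["questions"] != q["questions"]:
        return None
    return r["answers"]


if __name__ == "__main__":
    query = build_query("technologyreview.com", txid=0x1234)
    reply = build_answer(query, "69.147.160.210")  # constructed reply
    print(accept_reply(query, reply))
    stray = build_answer(build_query("technologyreview.com", txid=0x4321), "69.147.160.210")
    print(accept_reply(query, stray))  # ID mismatch: reply is discarded
```

The matching checks in `accept_reply` are the ones a stub or caching resolver applies to every reply it receives; a reply that fails any of them must be dropped rather than cached.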

The flaw that Kaminsky found could allow attackers to control the answers the
domain name system gives out, and so direct Internet traffic wherever they want
it to go. The worst-case scenario, he says, could look pretty bleak. "You'd have
the Internet, but it wouldn't be the Internet you expect," Kaminsky says. A user
might type in the address for the Bank of America website, for example, and be
redirected to a phishing site created by an attacker.

Details of the flaw are being kept secret for now. After Kaminsky discovered it,
he quietly notified the major vendors of hardware and software for domain name
servers. In March, he was one of 16 researchers who met at Microsoft's Redmond,
WA, campus to plan how to deal with the flaw without releasing information that
could help attackers. The researchers began working with vendors to release
patches simultaneously. Also, since attackers routinely reverse-engineer patches
to work out the flaw being fixed and build exploits from it, the researchers
chose a fix whose form reveals as little as possible about the underlying
problem. "We've done everything in our power up to and including selecting an
obscure fix to provide the good guys with as much of an advantage as possible,"
Kaminsky says. "The advantage won't last forever. We think, we hope, it'll last
a month."

Since the flaw is in the design of the domain name system itself, it afflicts
products made by a variety of vendors, including Microsoft, Cisco, Sun
Microsystems, and Red Hat, according to a report released by the U.S. Computer
Emergency Readiness Team (US-CERT), part of the Department of Homeland Security.
The flaw is a bigger problem for the servers that answer DNS queries than for
individual Web surfers' machines, so vendors are focusing on getting patches to
Internet service providers and to company networks that run their own name
servers. Most home users will be covered by automatic updates to their operating
systems.